Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Int. Secure Systems LabVienna University of Technology
Inspector GadgetAutomated Extraction of Proprietary
Gadgets from Malware Binaries
Clemens KOLBITSCH Thorsten HOLZ
Engin KIRDA Christopher KRUEGEL
Int. Secure Systems LabVienna University of Technology, Institute Eurecom Sophia Antipolis, UC Santa Barbara
Inspector Gadget 2
Int. Secure Systems LabVienna University of Technology
Motivation
• Analysis of malicious code is challenging
Inspector Gadget 3
Int. Secure Systems LabVienna University of Technology
Motivation
• Analysis of malicious code is challenging
• Looking at the inner workings of every samples has become infeasible– … due to various obfuscation techniques– … due to analysis resistance (e.g., anti-debugging
techniques)– … due to the huge number of malware families / variants
Inspector Gadget 4
Int. Secure Systems LabVienna University of Technology
Motivation
• Analysis of malicious code is challenging
76 172 submissions
58 041 new samplesAnubis
Inspector Gadget 5
Int. Secure Systems LabVienna University of Technology
Motivation
• Analysis of malicious code is challenging
• Looking at the inner workings of every samples has become infeasible– … due to various obfuscation techniques– … due to analysis resistance (e.g., anti-debugging
techniques)– … due to the huge number of malware families / variants
• Results of dynamic analys is cluttered by other behavior sample is capable of
Inspector Gadget 6
Int. Secure Systems LabVienna University of Technology
Motivation
• Results of dynamic analys is cluttered by other behavior sample is capable of
binaryupdate
binaryupdate
componentinstallation
componentinstallation
C & Ccommunication
C & Ccommunication
spamtemplating
spamtemplating
targetselection
targetselection
C & Clocation
C & Clocation
220 mx.google.com250google250PIPELINING250SIZE 10240000250VRFY250STARTTLS
220 mx.google.com250google250PIPELINING250SIZE 10240000250VRFY250STARTTLS
armzasn.netkevflnwroo.comdzqbpieiy.inforqkixea.bizkomug.netvhiax.org
armzasn.netkevflnwroo.comdzqbpieiy.inforqkixea.bizkomug.netvhiax.org
Inspector Gadget 7
Int. Secure Systems LabVienna University of Technology
Motivation
• Results of dynamic analysis cluttered by other behavior sample is capable of
• Dynamic analysis is very resource consuming...
• … and only provides temporary snapshot– malicious behavior might dependent on
• analysis date & time• analysis environment (e.g., username, host OS, …)• availability of remote resources (e.g., C&C hosts)
– needs to be repeatedly performed on single sample• at different points in time• preferably on different systems• even more time/resource consuming
Inspector Gadget 8
Int. Secure Systems LabVienna University of Technology
Motivation – Inspector
Wouldn't it be cool if we were able to extract asingle behavior into a standalone component and
use this to re-invoke the behavior?
• Removes clutter from analysis results
• Independent of other malicious activity– can be executed without virtual environment
• Easy to replay in a different situation such as– point in time– operating system
Inspector Gadget 9
Int. Secure Systems LabVienna University of Technology
Motivating Example
• Conficker Domain Generation Algorithm (DGA)– decides which remote host to contact for C&C– domain depends on current time– current time is fetched from a remote host (e.g., msn)
Inspector Gadget 10
Int. Secure Systems LabVienna University of Technology
Motivating Example
• Conficker Domain Generation Algorithm (DGA)– decides which remote host to contact for C&C– domain depends on current time– current time is fetched from a remote host (e.g., msn)binary
update
binaryupdate
componentinstallation
componentinstallation
C & Ccommunication
C & Ccommunication
spamtemplating
spamtemplating
targetselection
targetselection
C & Clocation
C & Clocation
220 mx.google.com250google250PIPELINING250SIZE 10240000250VRFY250STARTTLS
220 mx.google.com250google250PIPELINING250SIZE 10240000250VRFY250STARTTLS
armzasn.netkevflnwroo.comdzqbpieiy.inforqkixea.bizkomug.netvhiax.org
armzasn.netkevflnwroo.comdzqbpieiy.inforqkixea.bizkomug.netvhiax.org
armzasn.netkevflnwroo.comdzqbpieiy.inforqkixea.bizkomug.netvhiax.org
armzasn.netkevflnwroo.comdzqbpieiy.inforqkixea.bizkomug.netvhiax.org
Inspector Gadget 11
Int. Secure Systems LabVienna University of Technology
Outline
• Motivation– dynamic analysis reveals limited, temporary behavior
• Behavior analysis & extraction– storing identified behavior into gadget
• Behavior re-invocation– gadget player– gadget inversion
• So... again, why...?– benefit recap
• Gadget examples
Inspector Gadget 12
Int. Secure Systems LabVienna University of Technology
Behavior Analysisand Extraction
Inspector Gadget 13
Int. Secure Systems LabVienna University of Technology
Extraction Overview
4 stepprocess
Inspector Gadget 14
Int. Secure Systems LabVienna University of Technology
Extraction Overview
Anubiscontrol flow &instructions
API taint dependencies
step 1:dynamicanalysis
memoryaccesses
Find interesting behavior thatis to be extracted.Example: Hm, to which domain
am I connecting here??
Find interesting behavior thatis to be extracted.Example: Hm, to which domain
am I connecting here??
Inspector Gadget 15
Int. Secure Systems LabVienna University of Technology
Extraction Overview
Anubis
step 2:behavior
identification
control flow &instructions
control flow. outcome: API call / flow position
control flow. outcome: API call / flow position
Map selected behavior to analyzedprocess & thread, API accesses and
Inspector Gadget 16
Int. Secure Systems LabVienna University of Technology
Extraction Overview
Anubis
step 2.1:identificationrefinement
control flow &instructions
Find and suggest data manipulatinginstructions after chosen API call.Possibly refine chosen position toinclude the data processing.
Find and suggest data manipulatinginstructions after chosen API call.Possibly refine chosen position toinclude the data processing.
Inspector Gadget 17
Int. Secure Systems LabVienna University of Technology
API taint dependencies
memoryaccesses
step 3:backwardprogramslicing
control flow &instructions
API taint dependencies
memoryaccesses
Extraction Overview
call func1 add %esp ... call func2 add %esp call func3
call func1 add %esp ... call func2 add %esp call func3
DnsQuery_WDnsQuery_W
call StartS pop %eax push “abc” call DnsQry
call StartS pop %eax push “abc” call DnsQry
StartServiceStartService DnsQuery_WDnsQuery_W
call StartS pop %eax push “abc” call DnsQry
call StartS pop %eax push “abc” call DnsQry
StartServiceStartService DnsQuery_WDnsQuery_W
call func1 add %esp ... call func2 add %esp call func3
call func1 add %esp ... call func2 add %esp call func3
Inspector Gadget 18
Int. Secure Systems LabVienna University of Technology
API taint dependencies
memoryaccesses
step 3:backwardprogramslicing
control flow &instructions
API taint dependencies
memoryaccesses
Extraction Overview
call func1 add %esp ... call func2 add %esp call func3
call func1 add %esp ... call func2 add %esp call func3
DnsQuery_WDnsQuery_W
call StartS pop %eax push “abc” call DnsQry
call StartS pop %eax push “abc” call DnsQry
StartServiceStartService DnsQuery_WDnsQuery_W
call StartS pop %eax push “abc” call DnsQry
call StartS pop %eax push “abc” call DnsQry
StartServiceStartService DnsQuery_WDnsQuery_W
call func1 add %esp ... call func2 add %esp call func3
call func1 add %esp ... call func2 add %esp call func3
connectconnect
recvrecv
WSAStartupWSAStartup
... call connect jmp L_1L_0: call recv ...L_1: test %eax je L_0
... call connect jmp L_1L_0: call recv ...L_1: test %eax je L_0
Inspector Gadget 19
Int. Secure Systems LabVienna University of Technology
Extraction Overview
step 4:gadget
creation
Inspector Gadget 20
Int. Secure Systems LabVienna University of Technology
Extraction Overview
step 4:gadget
creation
001E:1000001E:1004001E:1008001E:100C001E:1010001E:1014001E:1018001E:101C001E:1020001E:1024001E:1028001E:102C001E:1030001E:1034001E:1038001E:103C001E:1040001E:1044
call <001E:1018>add %espcall <001E:103C>
call connectcall recv...test %eaxje <001E:101C>...push “abc”call DnsQuery_W fu
nc3
func
2m
ain
001E:1000001E:1004001E:1008001E:100C001E:1010001E:1014001E:1018001E:101C001E:1020001E:1024001E:1028001E:102C001E:1030001E:1034001E:1038001E:103C001E:1040001E:1044
call <001E:1018>add %espcall <001E:103C>
call connectcall recv...test %eaxje <001E:101C>...push <0018:A704>call DnsQuery_W fu
nc3
func
2m
ain
001E:1000001E:1004001E:1008001E:100C001E:1010001E:1014001E:1018001E:101C001E:1020001E:1024001E:1028001E:102C001E:1030001E:1034001E:1038001E:103C001E:1040001E:1044
call <001E:1018>add %espcall <001E:103C>
call @hookconnectcall @hookrecv...test %eaxje <001E:101C>...push <0018:A704>call @hookDnsQuery_W fu
nc3
func
2m
ain
Inspector Gadget 21
Int. Secure Systems LabVienna University of Technology
Extraction Overview
step 4:gadgetcreation
step 4:gadgetcreation
Extract gadget (standalone Dll) thatcan be imported into any (binary)application offering environment hooks.
Extract gadget (standalone Dll) thatcan be imported into any (binary)application offering environment hooks.
Inspector Gadget 22
Int. Secure Systems LabVienna University of Technology
Gadget Replay
Inspector Gadget 23
Int. Secure Systems LabVienna University of Technology
Gadget Player
• As library, the gadget can be reused in many areas– statically linked into the application– dynamically loadable
• … but, application must confine gadget execution– handle crashes (e.g., possible, invalid memory accesses)– one possibility: code emulation– here: separate, monitored thread with signal handling
• … and mediate accesses to the host OS– gadgets are guaranteed to contain no calls to system or API
functionality directly– each access is done through environment hooks
Inspector Gadget 24
Int. Secure Systems LabVienna University of Technology
Gadget Player
• Host OS accesses mediation: environment hooks– every system / API call is redirected to the gadget player
(using a multiplexor function)– player has the possibility to sanitize and/or manipulate call
parameters– if player decides to allow
the API invocation, calland parameters areforwarded to the actualimplementation (e.g., in-side a Windows library)
Gadget playerGadget player
gadget thread environment interface
AdvAPI32
User32
Inspector Gadget 25
Int. Secure Systems LabVienna University of Technology
Gadget Inversion
• Player can use gadget as transformation oracle– input is transformed into output, depending on algorithm
implemented by gadget– example: sample reads local data, obfuscates, and transmits to
remote host
Inspector Gadget 26
Int. Secure Systems LabVienna University of Technology
Gadget Inversion
• Player can use gadget as transformation oracle– input is transformed into output, depending on algorithm
implemented by gadget– example: sample reads local data, obfuscates, and transmits to
remote host
• In many scenarios, the inverse algorithm would be interesting, however– we capture obfuscated traffic and want the plain-text data that has
was transmitted
Inspector Gadget 27
Int. Secure Systems LabVienna University of Technology
Gadget Inversion
• Player can use gadget as transformation oracle– input is transformed into output, depending on algorithm
implemented by gadget– example: sample reads local data, obfuscates, and transmits to
remote host
• In many scenarios, the inverse algorithm would be interesting, however– we capture obfuscated traffic and want the plain-text data that has
was transmitted
• In the paper, we present basic inversion capabilities:– detect (taint) dependencies between bytes in input and output– apply guided brute-force heuristics to invert algorithm contained in
the gadget
Inspector Gadget 28
Int. Secure Systems LabVienna University of Technology
So … again, why...?
Inspector Gadget 29
Int. Secure Systems LabVienna University of Technology
Gadget Benefits
• … so why not simply execute it in a VM (over and over again)?– sleep timeouts: can be eliminated during gadget extraction– fast & lightweight analysis:
• no virtual environment, snapshot restoring• we ran our analysis on Linux (under Wine)!
– precise, uncluttered behaviorobservation
– advanced monitoring: theplayer has access to thegadget's heap and stackregions!
– environment tampering: allrequests go through a singleinterface: tamper with date ortime, registry settings, hostOS, remote hosts contacted, ...
Gadget playerGadget playergadget thread environment interface
User32
Inspector Gadget 30
Int. Secure Systems LabVienna University of Technology
Gadget examples
Inspector Gadget 31
Int. Secure Systems LabVienna University of Technology
Conficker DGA
• Conficker generates (pseudo) random domain names upon startup
• Current time, fetched from remote site (e.g., msn.com), controls domain generation randomization seed
• Randomly selected domain name is used for contacting C&C host
• Gadget:
– start extraction (slicing) from invocation of DnsQuery_W
– extracts complete Domain Generation Algorithm (DGA)– see one domain on query invocation– find all domains on gadget heap
• Possible environment tampering:– manipulate remote site's reply to change DGA input (i.e., date for
which domains are generated)
Inspector Gadget 32
Int. Secure Systems LabVienna University of Technology
Conficker DGA
P. Porras et al. “A Foray into Conficker's Logic and Rendezvous Points
Inspector Gadget control flow “debug output”
Inspector Gadget 33
Int. Secure Systems LabVienna University of Technology
Cutwail Spam Templating
• Cutwail (mass-mailer) generates spam Emails from templates downloaded from remote C&C hosts
• Communication employs proprietary encryption algorithm
• Template is not stored on file system– content decrypted and handled solely in memory
• Gadget:– inspect download behavior– start extraction after download is complete– Inspector suggests to automatically refine extraction
starting-point to end-of-decryption– extract complete template download & decryption algorithm
Inspector Gadget 34
Int. Secure Systems LabVienna University of Technology
Cutwail Spam Templating
"{_FIRSTNAME} {_LASTNAME}" <{MAIL_FROM}> Hello my new friend, I search a good man at other country...\n For me it to communicate for the first time with the person from other country, by Internet.\nAnd it ... {nReceived} MessageID: <{DIGIT[10]}.{SYMBOL[8]} {DIGIT[6]} @{nHOST}> From: {TAGMAILFROM} To: <{MAIL_TO}> Subject: {SUBJECT} Date: {DATE} MIMEVersion: 1.0 ContentType: multipart/mixed; boundary="=_NextPart_000_0006_{_nOutlook_Boundary}" XPriority: 3 XMSMailPriority: Normal XMailer: Microsoft Outlook Express {_nOutlookExpress_4}
"{_FIRSTNAME} {_LASTNAME}" <{MAIL_FROM}> Hello my new friend, I search a good man at other country...\n For me it to communicate for the first time with the person from other country, by Internet.\nAnd it ... {nReceived} MessageID: <{DIGIT[10]}.{SYMBOL[8]} {DIGIT[6]} @{nHOST}> From: {TAGMAILFROM} To: <{MAIL_TO}> Subject: {SUBJECT} Date: {DATE} MIMEVersion: 1.0 ContentType: multipart/mixed; boundary="=_NextPart_000_0006_{_nOutlook_Boundary}" XPriority: 3 XMSMailPriority: Normal XMailer: Microsoft Outlook Express {_nOutlookExpress_4}
Inspector Gadget 35
Int. Secure Systems LabVienna University of Technology
Cutwail Spam Templating
configver 194 addr 91.206.231.230 port 25 knockdelay 60 mxrecvtimeout 120 mxconntimeout 120 maxtrybadfrom 1 maxtryconn 5
configver 194 addr 91.206.231.230 port 25 knockdelay 60 mxrecvtimeout 120 mxconntimeout 120 maxtrybadfrom 1 maxtryconn 5
FIRSTNAME Christi Lea Staci Jodie Summer Katharine ...
LASTNAME Schafer Stacy Grayson Ham Landers Mims Parham Pritchett ...
name Lusia R., Texas Lusia R., New York Lusia R., Chicago Lusia R., Colorado Lusia R., Boston Lusia R., Washington Lusia R., Las Vegas Lusia R., Bellevue WA Lusia R., San Diego Amelia B., Chicago ...
FIRSTNAME Christi Lea Staci Jodie Summer Katharine ...
LASTNAME Schafer Stacy Grayson Ham Landers Mims Parham Pritchett ...
name Lusia R., Texas Lusia R., New York Lusia R., Chicago Lusia R., Colorado Lusia R., Boston Lusia R., Washington Lusia R., Las Vegas Lusia R., Bellevue WA Lusia R., San Diego Amelia B., Chicago ...
nHOST{nChar[515]}.{nChar[515]} .{LET:ru,org,com,va,net,biz, info,tv,ua,su}
nReceivedReceived: from [{nIP}] (helo={nHOST}) {N[1]}by {BOT_HOST} ...
nHOST{nChar[515]}.{nChar[515]} .{LET:ru,org,com,va,net,biz, info,tv,ua,su}
nReceivedReceived: from [{nIP}] (helo={nHOST}) {N[1]}by {BOT_HOST} ...
Inspector Gadget 36
Int. Secure Systems LabVienna University of Technology
URLZone Config Update
• URLZone (BHO banking-trojan) sniffs and manipulates user interaction with banking web-site
• Steals credentials and hides previous (malicious) transactions from user
• Remote configuration through encrypted configuration files– domains to attack– URLs to inspect– form content to modify
• Gadget:– extract complete template download & decrypt algorithm– similar to Cutwail gadget
Inspector Gadget 37
Int. Secure Systems LabVienna University of Technology
URLZone Config Update
STATA ITINJHOST=|my.hypovereinsbank.de|End ITINJPAGE=|/*?view=/*|End ... ITINJSTART=|Aktueller Kontosaldo</label>[*] <p class="right">|End ITINJEND=|</p>|End ITINJCODE=||End ITINJPASTE=|%HYPOBAL%+%AMOUNT%%TRUEAMOUNT%|End ITINJPASTEMN=|<span class="negativebalance">%HYPOBAL%+%AMOUNT% %TRUEAMOUNT%</span><span class="negativebalance">EUR</span>|End
STATA ITINJHOST=|my.hypovereinsbank.de|End ITINJPAGE=|/*?view=/*|End ... ITINJSTART=|Aktueller Kontosaldo</label>[*] <p class="right">|End ITINJEND=|</p>|End ITINJCODE=||End ITINJPASTE=|%HYPOBAL%+%AMOUNT%%TRUEAMOUNT%|End ITINJPASTEMN=|<span class="negativebalance">%HYPOBAL%+%AMOUNT% %TRUEAMOUNT%</span><span class="negativebalance">EUR</span>|End
=======================POST======================= [ITBEGINBLOCKHOOK] ITHOST=|banking.postbank.de|End ITPAGE=|/app/login.d*|End ITMETHOD=|2|End ITIFINIT=|%DISP%|End ITREQMATH=|jsOn=*&accountNumber=*&pinNumber=*|End
=======================POST======================= [ITBEGINBLOCKHOOK] ITHOST=|banking.postbank.de|End ITPAGE=|/app/login.d*|End ITMETHOD=|2|End ITIFINIT=|%DISP%|End ITREQMATH=|jsOn=*&accountNumber=*&pinNumber=*|End
Inspector Gadget 38
Int. Secure Systems LabVienna University of Technology
Summary
• Dynamic analysis is resource consuming, results are cluttered and limited to temporary snapshots of malicious behavior
• Inspector allows to automatically extract behavior into standalone gadgets
• Gadgets can be reused in many scenarios and – enhance information extraction– simplify repeated analysis of behavior
• Evaluation shows that extraction is applicable to real world, malicious programs
Inspector Gadget 39
Int. Secure Systems LabVienna University of Technology
Thanks for listening!